7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.
Recent assessments:
bwatters-r7 at April 27, 2020 4:17pm UTC reported:
This is a complex and poorly-defined vulnerability.
Microsoft’s description from <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668> is essentially useless:
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. “
There is little surprise that there exists some confusion about the vulnerability.
Contrary to the earlier poster, I do not believe that this is a System Orchestrator bug. I agree with <https://packetstormsecurity.com/files/cve/CVE-2020-0668> and think the vulnerability is in the Remote Access Service. Part of the confusion is that the vulnerability is a file overwrite vulnerability, and many PoCs are leveraging a dll-hijacking vulnerability in the system orchestrator service to gain code execution after the trusted file write takes place.
The Remote Access Service runs as system and creates a log of its actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size, the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same directory.
The issue is twofold. First, the behavior of the Remote Access Service Tool API is defined by three registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
These three registry keys allow a user to turn on the RASTAPI and configure the size and location of the log file. These registry keys are writable by a regular user.
The second issue is that the RAST service performs only a trivial check on the filesystem location of the RASTAPI.OLD destination. If an attacker creates a filesystem link between the old
log destination (i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location (C:\windows\system32\badfile.dll), RASDIALER will copy the old log file to the linked location as the SYSTEM user. Because there is a file hijacking vulnerability in the System Orchestrator service, many PoCs use the location C:\Windows\System32\WindowsCoreDeviceInfo.dll, which does not exist in a default configuration, but System Orchestrator Service will load if it does exist,
The attack looks something like:
Many PoC exploits leverage <https://github.com/googleprojectzero/symboliclink-testing-tools> which allow for the manipulation of symbolic links and mount points and also <https://github.com/itm4n/UsoDllLoader> to start the System Orchestrator service to launch the dll.
While the exploit is difficult, there are several PoC exes out there, and a metasploit module in progress, so I consider the exploitability relatively easy, though the exploit itself is difficult.
FULLSHADE at April 21, 2020 5:01pm UTC reported:
This is a complex and poorly-defined vulnerability.
Microsoft’s description from <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668> is essentially useless:
“An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. “
There is little surprise that there exists some confusion about the vulnerability.
Contrary to the earlier poster, I do not believe that this is a System Orchestrator bug. I agree with <https://packetstormsecurity.com/files/cve/CVE-2020-0668> and think the vulnerability is in the Remote Access Service. Part of the confusion is that the vulnerability is a file overwrite vulnerability, and many PoCs are leveraging a dll-hijacking vulnerability in the system orchestrator service to gain code execution after the trusted file write takes place.
The Remote Access Service runs as system and creates a log of its actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size, the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same directory.
The issue is twofold. First, the behavior of the Remote Access Service Tool API is defined by three registry keys:
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
These three registry keys allow a user to turn on the RASTAPI and configure the size and location of the log file. These registry keys are writable by a regular user.
The second issue is that the RAST service performs only a trivial check on the filesystem location of the RASTAPI.OLD destination. If an attacker creates a filesystem link between the old
log destination (i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location (C:\windows\system32\badfile.dll), RASDIALER will copy the old log file to the linked location as the SYSTEM user. Because there is a file hijacking vulnerability in the System Orchestrator service, many PoCs use the location C:\Windows\System32\WindowsCoreDeviceInfo.dll, which does not exist in a default configuration, but System Orchestrator Service will load if it does exist,
The attack looks something like:
Many PoC exploits leverage <https://github.com/googleprojectzero/symboliclink-testing-tools> which allow for the manipulation of symbolic links and mount points and also <https://github.com/itm4n/UsoDllLoader> to start the System Orchestrator service to launch the dll.
While the exploit is difficult, there are several PoC exes out there, and a metasploit module in progress, so I consider the exploitability relatively easy, though the exploit itself is difficult.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3
packetstormsecurity.com/files/156576/Microsoft-Windows-Kernel-Privilege-Escalation.html
packetstormsecurity.com/files/157615/Service-Tracing-Privilege-Escalation.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0668
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
www.zerodayinitiative.com/advisories/ZDI-20-257
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C